Analysis
max time kernel: 120s
max time network: 121s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 05/01/2024, 01:02
Behavioral task: behavioral1
Sample: 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
Resource: win7-20231129-en
General
Target: 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
Size: 920KB
MD5: 753505f665835e0f8542f83252d8251c
SHA1: 880a37b15bec07ce4ff748fb2e8d138754c8b636
SHA256: 23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4
SHA512: 91d69bcd0b6dd9e096a31db9c3778432088c69e6d329c12bba7e1803bf0dd7325338d42c76d0b6cb6a8e954a0e931754a3c7cc2f07b7c8b21700ac9b6ad9137c
SSDEEP: 24576:iD54MROxnFt34cirrcI0AilFEvxHPf8oom:iSMijgrrcI0AilFEvxHP
Malware Config
Extracted: orcus
777
10.86.6.129:3333
bc671c436af448dd952335335bfcb715
autostart_method: TaskScheduler
enable_keylogger: true
install_path: %programfiles%\Orcus\Orcus.exe
reconnect_delay: 10000
registry_keyname: Orcus
taskscheduler_taskname: Windows Start
watchdog_path: AppData\WindowsUpdate.exe
Signatures

Orcus main payload (5 IoCs)
resource  yara_rule
behavioral1/files/0x00070000000143f9-34.dat  family_orcus
behavioral1/files/0x00070000000143f9-32.dat  family_orcus
behavioral1/files/0x00070000000143f9-31.dat  family_orcus
behavioral1/files/0x00070000000143f9-29.dat  family_orcus
behavioral1/files/0x00070000000143f9-43.dat  family_orcus

Orcurs Rat Executable (7 IoCs)
resource  yara_rule
behavioral1/memory/2652-0-0x0000000000AC0000-0x0000000000BAC000-memory.dmp  orcus
behavioral1/memory/3028-35-0x00000000002E0000-0x00000000003CC000-memory.dmp  orcus
behavioral1/files/0x00070000000143f9-34.dat  orcus
behavioral1/files/0x00070000000143f9-32.dat  orcus
behavioral1/files/0x00070000000143f9-31.dat  orcus
behavioral1/files/0x00070000000143f9-29.dat  orcus
behavioral1/files/0x00070000000143f9-43.dat  orcus

Executes dropped EXE (4 IoCs)
pid  Process
3024  WindowsInput.exe
2616  WindowsInput.exe
3028  Orcus.exe
2544  Orcus.exe

Loads dropped DLL (2 IoCs)
pid  Process
2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

Drops file in System32 directory (3 IoCs)
description  ioc  Process
File created  C:\Windows\SysWOW64\WindowsInput.exe  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created  C:\Windows\SysWOW64\WindowsInput.exe.config  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created  C:\Windows\SysWOW64\WindowsInput.InstallState  WindowsInput.exe

Drops file in Program Files directory (3 IoCs)
description  ioc  Process
File created  C:\Program Files (x86)\Orcus\Orcus.exe  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File opened for modification  C:\Program Files (x86)\Orcus\Orcus.exe  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
File created  C:\Program Files (x86)\Orcus\Orcus.exe.config  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (2 IoCs)
description  pid  Process
Token: SeDebugPrivilege  3028  Orcus.exe
Token: SeDebugPrivilege  2544  Orcus.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
pid  Process
3028  Orcus.exe
2544  Orcus.exe

Suspicious use of SendNotifyMessage (2 IoCs)
pid  Process
3028  Orcus.exe
2544  Orcus.exe

Suspicious use of SetWindowsHookEx (2 IoCs)
pid  Process
3028  Orcus.exe
2544  Orcus.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description  pid  Process  procid_target
PID 2652 wrote to memory of 3024  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  28
PID 2652 wrote to memory of 3024  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  28
PID 2652 wrote to memory of 3024  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  28
PID 2652 wrote to memory of 3024  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  28
PID 2652 wrote to memory of 3028  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  30
PID 2652 wrote to memory of 3028  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  30
PID 2652 wrote to memory of 3028  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  30
PID 2652 wrote to memory of 3028  2652  23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe  30
PID 2460 wrote to memory of 2544  2460  taskeng.exe  32
PID 2460 wrote to memory of 2544  2460  taskeng.exe  32
PID 2460 wrote to memory of 2544  2460  taskeng.exe  32
PID 2460 wrote to memory of 2544  2460  taskeng.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\23e97c543db02964647d9adf354be9fc4506be3fb6a600fc4d77f69480659bc4.exe"
  PID: 2652
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    Child: C:\Windows\SysWOW64\WindowsInput.exe
      Command line: "C:\Windows\SysWOW64\WindowsInput.exe" --install
      PID: 3024
      - Executes dropped EXE
      - Drops file in System32 directory

    Child: C:\Program Files (x86)\Orcus\Orcus.exe
      Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
      PID: 3028
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx

C:\Windows\SysWOW64\WindowsInput.exe
  Command line: "C:\Windows\SysWOW64\WindowsInput.exe"
  PID: 2616
  - Executes dropped EXE

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {B6B3AE42-E25B-41CC-8312-09DAE1C526FD} S-1-5-21-3470981204-343661084-3367201002-1000:GLTGRJAG\Admin:Interactive:[1]
  PID: 2460
  - Suspicious use of WriteProcessMemory

    Child: C:\Program Files (x86)\Orcus\Orcus.exe
      Command line: "C:\Program Files (x86)\Orcus\Orcus.exe"
      PID: 2544
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads